PUP.Optional.Legacy and PUP.Winlogon.Heuristic False Positives in v7.2.3?

[HighTide]

I've been running Adwcleaner pretty regularly in the past (about once a month), but this is the first time Adwcleaner has reported having such problems on my computer. I don't have access to a previous version to try and confirm a FP that way, but looking at the registry keys themselves makes it seem that way, since it's complaining about my Cisco VPN software, Windows SysAppTray, and the HP Security Manager linked to my Winlogon. Malwarebytes reports no other problems on my computer, so are these just false positives that I can safely ignore, or are they bigger threats that I should be concerned with?

AdwCleaner[S00].txt

[Malwarebytes]

***This is an automated reply***

Hi,

Thanks for posting in the AdwCleaner Help forum.

Someone will reply shortly, but in the meantime here are a few resources which may help resolve your issue:

• AdwCleaner user guide
• A malicious element isn't being detected? Submit the sample here!
• Need help with another Malwarebytes product or malware removal?
  • Click here for home support
  • Click here for business support
  • Click here for malware removal help

Thanks in advance for your patience.

-The Malwarebytes Forum Team

[jboursier]

Hello,

FPs related to your VPN are fixed with the current database update (no action required on your side, just a scan which will automatically fetch the latest database.

For the HP part, can you do me an export of the registry key please? (`HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon`)

Thanks,

 

[HighTide]

As of the latest update, the two previous PUP.Optional.Legacy detections have vanished, so the only remaining one is the PUP.Winlogon.Heuristic. I'm not entirely sure what you mean by an export of the key, but the object it was complaining about (Userinit), is defined as follows: "C:\Windows\system32\userinit.exe,C:\Program Files (x86)\Hewlett-Packard\HP ProtectTools Security Manager\Bin\DPAgent.exe,"

 

Personally I think it's just triggering on the fact that another program is in the registry key aside from userinit.exe .

[exile360]

Greetings,

What he was asking for with regards to an export is an export of the key from the registry so that he may take a look at exactly how it is formatted and written in the registry to determine why it is being detected and so that he might import it into one of his own test systems for testing to hopefully correct the FP.

To create a registry export of the key please do the following:

• Click on Start and select Run or press the Windows Key+R on your keyboard
• In the Run box type regedit and press Enter or click on OK and click Yes if prompted by User Account Control
• Navigate to the following location by clicking the little arrows next to the appropriate folders to expand them: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
• Once there, right-click on the Winlogon folder and select Export and then save the file to your desktop or another location where you will be able to find it easily and give it a name such as winlogon
• Locate the file and right-click on it and hover your mouse over Send to and select Compressed (zipped) folder
• Attach the resulting ZIP folder you just created to your next reply
  

[HighTide]

Thanks for the clarification. I've attached the exported + zipped reg file to this reply. Do you need anything else?

winlogon.zip

[HighTide]

Sorry, but should I go on and create another topic? Not sure if this just got lost or something.

[exile360]

@fr33tux the reg export has been provided by the user if still needed.

That will alert him so he should respond soon, though it may not be until Monday if he doesn't work on weekends.

[HighTide]

I'm not entirely sure what's happened, but it seems like he either didn't get the message or lost it with other messages. Should I continue updating this topic?

[exile360]

@fr33tux, @Elisabeth could one of you please jump in here to assist with this detection issue/FP?

I just shot him another notification along with Elisabeth who is another member of the team.  One of them should respond soon, but please post again if no one from the staff has replied by Monday evening (they may be out for the weekend so they may not be available until Monday morning).

[jboursier]

Hello,

Sorry for the delay.

For now, my answer is for you to add this detection as an exclusion (right click on it from the results list > Add to exclusions). It's a weird location for HP to use, so it's not being fixed immediately, but we'll look at it.

Thanks,